Enterprise Infrastructure Solutions
Volume 1—Technical Volume—EIS MTIPS Risk Management Framework Plan
SFA# 52021671/NSP# 80162 RFP No.: QTA0015THA3003
i
SENSITIVE BUT UNCLASSIFIED
November 4, 2016
Data contained on this page is subject to the restrictions on the title page of this proposal.
Managed Trusted Internet Protocol Service (MTIPS)
Enterprise Infrastructure Solutions (EIS) Risk
Management Framework Plan (RMFP)
Network Services and Network Management
Systems in accordance with (IAW) C.2.8.4.5
(NIST FIPS 199 High-Impact Baseline)
Version 1.0
November 4, 2016
Prepared by
Qwest Government Services, Inc. dba CenturyLink QGS
4250 North Fairfax Drive
Arlington, VA 22203
TABLE OF CONTENTS
Revision History
Step 1—Define the Security System
    Task 1-1—Security Categorization
        Information System Owner
    Task 1-2—Information System Description
        System Environment
    Task 1-3—Information System Registration
Step 2—Select Security Controls
    Task 2-1—Common Control Identification
        Overall CenturyLink Infrastructure
    Task 2-2—Security Control Selection
    Task 2-3—Monitoring Strategy
        Access Monitoring
        File Integrity and Configuration Monitoring
        Network Monitoring
        Automated Inventory Monitoring
        Real-Time Alerts
        Security Vulnerability Scanning
        Security Penetration Testing (C.2.8.4.5.4 (20, 22))
    Task 2-4—Security Plan Approval
Step 3—Implement Security Controls
    Task 3-1—Security Control Implementation
    Task 3-2—Security Control Documentation
Step 4—Assess Security Controls
    Task 4-1—Assessment Preparation
    Task 4-2—Security Control Assessment
    Task 4-3—Security Assessment Report (C.2.8.4.5.4 (19))
    Task 4-4—Remediation Actions
Step 5—Authorize Information System
    Task 5-1—Plan of Action and Milestones
    Task 5-2—Security Authorization Package (C.2.8.4.5.3, C.2.8.4.5.4 (1 through 27))
    Task 5-3—Risk Determination
    Task 5-4—Risk Acceptance
Step 6—Monitor Security Controls
    Task 6-1—Information System and Environment Changes
    Task 6-2—Ongoing Security Control Assessments
    Task 6-3—Ongoing Remediation Actions (C.2.8.4.5.4 (24))
    Task 6-4—Key Updates
    Task 6-5—Security Status Reporting
    Task 6-6—Ongoing Risk Determination and Acceptance
    Task 6-7—Information System Removal and Decommissioning
LIST OF FIGURES
Figure 1. MTIPS 2.0 Standard Portal A&A Boundary
Figure 2. MTIPS 2.0 Augment Portal A&A Boundary
Figure 3. MTIPS 2.0 Standard Portal Traffic Flow.
Figure 4. MTIPS 2.0 Augment Portal Traffic Flow
Figure 5. SOC Site 1 Logical Detail (San Diego)
Figure 6. SOC Site 2 Logical Detail (Columbia, MD)
Figure 7. Site Physical Detail San Diego
Figure 8. Site Physical Detail Columbia, MD
LIST OF TABLES
Table 1. MTIPS Information Type Categorization
REVISION HISTORY
Revision | Revision Description | Authors      | Approval        | Date
---------|----------------------|--------------|-----------------|-----------
1.0      | Original Release     | Robert Ellis | Peggy Macdonald | 02/22/2016
STEP 1—DEFINE THE SECURITY SYSTEM
TASK 1-1—SECURITY CATEGORIZATION
The General Services Administration (GSA) assigned an information sensitivity
category for Managed Trusted Internet Protocol Service (MTIPS) based on the federal
government requirement and Federal Information Processing Standard (FIPS) 199.
FIPS 199 requires MTIPS security to safeguard data and information from unauthorized
disclosure, protect data from unauthorized modification, and ensure that services are
available to meet mission requirements.
Protection ratings are determined for each of these three categories:
• Confidentiality: MTIPS contains information that requires protection from unauthorized disclosure
• Integrity: MTIPS contains information that must be protected from unauthorized, unanticipated, or unintentional modification
• Availability: MTIPS contains information or provides services that must be available on a timely basis to meet mission requirements, or to avoid substantial losses
MTIPS is rated as one of the following:
• High: the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals
• Moderate: the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals
• Low: the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
To determine the information types that MTIPS will potentially handle, GSA used
National Institute of Standards and Technology (NIST) Special Publication (SP) 800-60
Volume 1 Revision 1, Guide for Mapping Types of Information and Information Systems
to Security Categories, and Volume 2 Revision 1, Appendices to Guide for Mapping
Types of Information and Information Systems to Security Categories. Following the
Office of Management and Budget’s (OMB) Federal Enterprise Architecture (FEA)
Business Reference Model (BRM), GSA determined that the MTIPS business areas will
deliver services and manage resources, serving in a supportive role to an agency’s
mission but not directly processing any agency mission-based information types.
The information types that MTIPS will potentially handle with associated provisional
impact levels, due to loss of any of the three security objectives (confidentiality, integrity,
and availability), are shown in Table 1. The high watermark method was used to
determine the overall information categorization.
Table 1. MTIPS Information Type Categorization
Information Type                                       | Confidentiality | Integrity | Availability
-------------------------------------------------------|-----------------|-----------|-------------
Contingency planning                                   | Low             | Low       | High
Continuity of operations                               | Low             | Low       | High
Service recovery                                       | Low             | Low       | High
Goods acquisition                                      | Low             | Moderate  | Low
Inventory control                                      | Low             | Moderate  | Low
Logistics management                                   | Low             | Moderate  | Low
Services acquisition                                   | Moderate        | Moderate  | Low
System development                                     | Moderate        | Moderate  | Low
Life cycle/change management                           | Low             | Moderate  | Moderate
System maintenance                                     | High            | Moderate  | Moderate
Information technology (IT) infrastructure maintenance | High            | High      | High
MTIPS security                                         | Moderate        | Moderate  | High
Record retention                                       | Moderate        | High      | Low
Information management                                 | Moderate        | Moderate  | Moderate
System and network monitoring                          | High            | High      | High
Information sharing                                    | Moderate        | Moderate  | Moderate
Overall information categorization                     | High            | High      | High
As part of the MTIPS system development life cycle (SDLC) and security
assessment and authorization (A&A) processes, CenturyLink periodically reviews the
list of information types to add and remove data types, as necessary, and update the
impact to the above security objectives.
In summary, the MTIPS overall sensitivity rating is high based on the following:
• Requirements for confidentiality, integrity, and availability protections
• Related level of sensitivity
• Highest magnitude of harm directly resulting from loss, misuse, modification to, or unauthorized access to information on MTIPS
Information System Owner
GSA
Name: Kevin Gallo
Title: GSA System Owner
Agency: GSA
Address: 1800 F Street NW, Washington, DC 20450
Email Address: [email protected]
Phone Number: 703-306-6616
CenturyLink
Name: Tim Meehan
Title: Vice President
Agency: Qwest Government Services, Inc. dba CenturyLink QGS
Address: 4250 N Fairfax Drive, Arlington, VA 22203
Email Address: [email protected]
Phone Number: 703-363-8755
System Environment
Figure 1. MTIPS 2.0 Standard Portal A&A Boundary
Figure 2. MTIPS 2.0 Augment Portal A&A Boundary
Figure 3. MTIPS 2.0 Standard Portal Traffic Flow.
Figure 4. MTIPS 2.0 Augment Portal Traffic Flow
TASK 1-3—INFORMATION SYSTEM REGISTRATION
The registration process will begin with the definition of the A&A (or authorization)
boundary in the Security Assessment Boundary and Scope Document (BSD), as
referenced in RFP Section C.2.8.4.5.4 (2). This section identifies the information system
and subsystems in the system inventory and establishes a relationship between the
information system and the parent or governing organization that owns, manages,
and/or controls the system.
The information system owner has primary responsibility for registering each EIS
information system that supports network services and network management systems.
Primary Responsibility: CenturyLink Information System Owner
Name: Tim Meehan
Title: Vice President
Agency: Qwest Government Services, Inc. dba CenturyLink QGS
Address: 4250 N Fairfax Drive, Arlington, VA 22203
Email Address: [email protected]
Phone Number: 703-363-8755
Supporting Roles: CenturyLink Information Systems Security Officer (ISSO)
Name: Robert Ellis
Title: Information System Security Officer (ISSO)
Agency: Qwest Government Services, Inc. dba CenturyLink QGS
Address: 931 14th Street, Suite 1000B, Denver, CO 80202
Email Address: [email protected]
Phone Number: 720-578-2110
GSA Information System Security Manager (ISSM)
Name: David Trzcinski
Title: Information Systems Security Manager
Agency: GSA
Address: 1800 F Street, NW, Washington, DC 20405
Email Address: [email protected]
Phone Number: 703-306-6354
GSA ISSO
Name: William Olson
Title: Systems and Security Program Manager
Agency: GSA
Address: 1800 F Street, NW, Washington, DC 20405
Email Address: [email protected]
Phone Number: 703-306-6393
GSA personnel have performed the security categorization of the MTIPS information
systems, which are determined to be FIPS 199 high impact.
STEP 2—SELECT SECURITY CONTROLS
TASK 2-1—COMMON CONTROL IDENTIFICATION
Common controls inherited within the MTIPS system authorization boundary will include:
• Physical security controls
• Environmental controls
• Centralized authentication mechanisms
  – SecurID
  – Active Directory
• Continuous monitoring systems
• 800-53 Control Tailoring Workbook (CTW) (C.2.8.4.5.4 (4))
• 800-53 Control Summary Table (C.2.8.4.5.4 (5))
• System Inventory (hardware, software, and related information) (C.2.8.4.5.4 (7))
• Security Incident Response Plan (IRP) (C.2.8.4.5.4 (15))
• Security Incident Response Test Plan
• Security Incident Response Test Report (C.2.8.4.5.4 (16))
• Supply Chain Risk Management (SCRM) Plan (C.2.8.4.5.4 (17))
• Contingency Plan (CP), including the Disaster Recovery Plan (DRP) and Business Impact Assessment (BIA) (C.2.8.4.5.4 (8))
• Contingency Plan Test Plan (CPTP) (C.2.8.4.5.4 (9))
• Contingency Plan Test Report (CPTPR) (C.2.8.4.5.4 (10))
• Interconnection Security Agreements (ISA) (C.2.8.4.5.4 (3))
• Configuration Management Plan (CMP) (C.2.8.4.5.4 (12))
• Systems Baseline Configuration Standard Document (C.2.8.4.5.4 (13))
• Audit Monitoring Program
• Continuous Monitoring Program (security risk mitigation) (C.2.8.4.5.4 (18))
  – Access monitoring
  – Configuration Monitoring
  – Vulnerability Monitoring (Scanning)
  – Third-Party Penetration Test Report
  – Automated reporting to customer (if customer is prepared for it)
• Continuous Monitoring Plan
• e-Authentication documents
  – e-Authentication Executive Summary
  – e-Authentication Detail Report
  – e-Authentication Risk and Requirements Assessment Tool (database file)
• Independent External Penetration Test and Report (C.2.8.4.5.4 (20))
• User Access Authorization and Management Process
• Personnel Security Procedures
• Suitability Report (employee background investigation report)
• Security Test and Evaluation Plan (ST&E Plan)
• Security Test and Evaluation Report (ST&E Report) or Security Assessment Report (SAR) (C.2.8.4.5.4 (6))
• Annual FISMA Assessment (conducted per GSA CIO IT Security Procedural Guide 04-26, “FISMA Implementation”) (C.2.8.4.5.4 (25))
In addition to the items above that are already included in our security A&A package
or as deliverables, CenturyLink will include the following in its EIS MTIPS security A&A
package or provide as deliverables:
• Code Review Report (if applicable) (C.2.8.4.5.4 (21))
• Monthly Reports on SCAP Common Configuration Enumerations (CCE) (NIST SP 800-53 R4: CM-6) (C.2.8.4.5.4 (26))
• Monthly Reports on SCAP Common Platform Enumeration (CPE) (NIST SP 800-53 R4: CM-8) (C.2.8.4.5.4 (26))
• Monthly Reports on SCAP Common Vulnerabilities and Exposures (CVE) (NIST SP 800-53 R4: CM-8) (C.2.8.4.5.4 (26))
• Independent Internal Penetration Test and Report (C.2.8.4.5.4 (20))
• Document Management (C.2.8.4.5.4 (27))
CenturyLink develops and maintains all current policy and procedure documents, as
outlined in the specified NIST documents and applicable GSA IT Security Procedural
Guides. For EIS, they will be verified and reviewed during the initial security
assessment, and updates will be provided to the GSA Contracting Officer's
Representative (COR)/ISSO/ISSM biennially to include the following:
• Access Control Policy and Procedures (NIST SP 800-53 R4: AC-1)
• Security Awareness and Training Policy and Procedures (NIST SP 800-53 R4: AT-1)
TASK 6-7—INFORMATION SYSTEM REMOVAL AND DECOMMISSIONING
CenturyLink follows a system-removal and decommissioning policy and procedures
that ensure all data are securely erased or destroyed before storage elements leave
CenturyLink premises.